Geisinger Faces Data Breach Affecting 1.2M Patients

By Cloudticity, L.L.C. | Tagged in News, Security

Geisinger Health Systems, a Pennsylvania-based hospital, recently suffered a massive breach. Now, they are facing multiple class action lawsuits. 

What happened

Geisinger, which offers a health plan for over 500,000 members and has 10 hospital campuses, two research centers, and a School of Medicine, recently faced a data breach.

The hospital released a notice of a data breach, estimating that data from 1.2 million patients may have been exposed. 

Exposed data varied, but may have included names, dates of birth, addresses, admission and discharge information, medical record numbers, race, gender, phone numbers, and facility information. Insurance, financial information, and Social Security numbers were not part of the breach.  

How it started: insider threats

The attack originated with Nuance Communications Inc., an outside vendor providing information technology services and owned by Microsoft.  

According to reports, Geisinger revealed that the attack came from a former Nuance employee and occurred on November 29th, 2023. The employee successfully accessed patient data for two days after being terminated. When Nuance discovered the employee had accessed data, they immediately revoked privileges. 

Despite this, Geisinger reported to the U.S. Department of Health and Human Services that the breach had impacted 1,276,026 individuals. 

The breach notification came over six months after the breach was discovered, but Nuance said this was purposeful, as law enforcement feared immediate notification could have impeded the investigation. 

While the Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notice within 60 days of discovery, it’s common for notices to be delayed. Organizations generally claim that notification can harm an investigation, but the delay can also leave impacted individuals feeling blindsided by the news.

According to a local news source, Jonathan Friesen, Geisinger's chief privacy officer said, “Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously.”

Perpetrator faces charges

Soon after the breach was discovered, Max Vance, 44, was named the main suspect. Vance had several aliases, including Andre J. Burk and El Cajon. 

Vance was detained on January 30th, 2024, and was found to possess several false IDs and a machine to produce them in his California residence. Vance also had a thumb drive with information about the employer who fired him.  

The lawsuit alleges the value of the breach exceeds $5 million. His trial is scheduled for November 4th, 2024, in Williamsport, Pennsylvania. 

“We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry this happened,” said Friesen. 

Victims seek restitution

Currently, there are six lawsuits against Geisinger, many stating that the delay in notification led to an increased risk of identity theft. One victim claims to have experienced multiple fraudulent financial transactions and an increase in spam. She claimed the delay functionally “ensured” that unauthorized individuals could misuse the sensitive information.

Others also blame Nuance, claiming both had an obligation to protect private data. 

In another class action lawsuit, plaintiffs are seeking a jury trial and damages in response to the breach, claiming both organizations were negligent and violated consumer protection laws. Geisinger has said it's reviewing the lawsuit but made no further comment. 

For healthcare organizations, class action lawsuits are becoming common after data breaches, adding to the already significant costs of a breach. The rise in lawsuits has mostly been connected to an increase in public awareness. Organizations are often finding themselves the target of not one, but multiple suits. According to a report, it’s also more likely for a class action suit to come to fruition even if only limited data was accessed. Before this, only extreme breaches would result in a flurry of suits. A 2023 report found that class action suits were on track to double 2022 numbers, with approximately 44.5 suits filed a month. Likely, these numbers will only increase in 2024.  

Lawsuits like these can have positive effects by encouraging healthcare organizations to prioritize data security, but the financial implications can be troubling, especially for smaller companies. On average, breaches in the healthcare sector now cost $10.93 million to resolve. 

Rising threats to third parties

Larger healthcare organizations are reliant on third parties, like Nuance, for administrative, communication, and IT assistance. These partnerships have become a necessity, allowing hospitals to focus primarily on providing quality care. 

On top of this, there is a national shortage of cybersecurity experts, making it important for organizations to outsource these jobs. 

Read more: Healthcare Cybersecurity Trends: What to Expect in Q3 and Q4

While these partnerships are critical, they can open organizations to increased risk; not every organization understands the severity of the risks or uses the right technology to manage them. To help ensure data security, healthcare organizations should always sign a Business Associate Agreement outlining each organization’s obligations toward data security. Healthcare organizations that use third parties are only ever as safe as their business associates.

How Cloudticity Can Help

Insider threats, such as those posed by former employees, can be mitigated with proper cybersecurity hygiene and identity and access management (IAM) practices, including promptly revoking access when employment ends rather than after unauthorized access is noticed.
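One defensive check the Nuance timeline points to, as an added example that is not Cloudticity's, Geisinger's or Nuance's code and runs on constructed sample data: join HR termination times against application access logs to flag any access after termination, and measure how far identity-provider deprovisioning lagged behind HR.

```python
from datetime import datetime

# Constructed sample data (not taken from the article): HR termination
# timestamps, the time the identity provider actually disabled each
# account, and application access-log lines as "timestamp,account,resource".
TERMINATED_AT = {
    "jdoe": "2023-11-27T17:00:00",
    "asmith": "2023-12-15T09:00:00",
}
DISABLED_AT = {
    "jdoe": "2023-11-29T12:00:00",    # disabled only after access was noticed
    "asmith": "2023-12-15T09:05:00",  # disabled within minutes of termination
}
ACCESS_LOG = """\
2023-11-27T16:30:00,jdoe,patient-records
2023-11-28T08:12:00,jdoe,patient-records
2023-11-29T10:45:00,jdoe,patient-records
2023-11-29T11:00:00,bsmith,patient-records
2023-12-14T13:20:00,asmith,billing
"""

def _ts(s):
    return datetime.fromisoformat(s)

def parse_log(text):
    """Parse log lines into (datetime, account, resource) tuples."""
    out = []
    for line in text.strip().splitlines():
        ts, account, resource = line.split(",")
        out.append((_ts(ts), account, resource))
    return out

def post_termination_access(log_text, terminated_at):
    """Map each account seen accessing data after its HR termination time to
    (event_count, hours_between_termination_and_last_access)."""
    findings = {}
    for ts, account, _resource in parse_log(log_text):
        cutoff = terminated_at.get(account)
        if cutoff is None or ts <= _ts(cutoff):
            continue  # active account, or access before termination
        count, hours = findings.get(account, (0, 0.0))
        hours = max(hours, (ts - _ts(cutoff)).total_seconds() / 3600)
        findings[account] = (count + 1, round(hours, 2))
    return findings

def deprovisioning_lag_hours(terminated_at, disabled_at):
    """Hours between HR termination and IdP disablement, per account."""
    return {a: round((_ts(disabled_at[a]) - _ts(t)).total_seconds() / 3600, 2)
            for a, t in terminated_at.items() if a in disabled_at}
```

In the sample, `jdoe` is flagged with two post-termination accesses over a 41.75-hour window, and the deprovisioning lag shows the 43-hour gap between HR termination and account disablement that allowed it.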

Cloudticity offers IAM security through our cloud managed security for healthcare, and we've never suffered a data breach. Using a proven security tech stack, processes, and cybersecurity experts, we keep your healthcare data safe, quickly addressing and mitigating any threats.

Cloudticity is also HITRUST certified, so your organization can inherit many of the protections of HITRUST simply by using our services.

As a company dedicated to protecting healthcare organizations, we have tools specifically designed to alleviate modern staffing and technology concerns. By outsourcing your cybersecurity needs, you no longer have to worry about obtaining and retaining highly qualified cyber experts. With saved time and money, you can focus on what really matters: driving innovation and serving your patients. 

Learn more about how Cloudticity’s Managed Security for Healthcare can help you address cybersecurity needs. Reach out today for a free consultation.
